Privacy Policy

We collect only what we need to run the Service:

Account data

• Email and password (the password is hashed by our auth provider; we never see the plaintext)
• Full name (if you provide it during onboarding)
• Account creation date and last sign-in timestamps

Business profile

• Service niche (e.g. personal trainer, yoga instructor) and free-text custom niche description
• Work style (full-time or side-hustle), country, city
• Certifications you list
• Language preference

Progress and content

• Which tasks and phases you've completed, task responses you type in, current streak and badges
• Chat messages you exchange with the AI coach, stored locally in your browser and processed server-side to generate a response
• Any templates or notes you save through the app

Payment data

• Stripe customer ID, checkout session ID, payment status, upgrade timestamp. We don't see your card number, CVC, or expiry — those are handled directly by Stripe.

Technical data

• IP address and user-agent (logged by our hosting provider for security and abuse prevention)
• AI usage counters (daily quota tracking) — endpoint name, timestamp, token counts

Under GDPR we rely on these legal bases:

• Contract (Art. 6(1)(b)) — to create your account, deliver phase content, run the AI coach, process payments, and provide support.
• Legitimate interest (Art. 6(1)(f)) — to prevent fraud and abuse, secure the Service, and improve it based on aggregate patterns. We balance this against your rights and use minimal data.
• Legal obligation (Art. 6(1)(c)) — to keep payment records and respond to lawful requests from authorities.
• Consent (Art. 6(1)(a)) — for anything outside the above (e.g. optional marketing emails). Consent can be withdrawn at any time.

We use a small number of trusted sub-processors. We share only what each one needs to do its job.

• Supabase — auth, Postgres database, file storage. Your account data, business profile, progress, and chat history are stored here.
• Stripe — payment processing. Stripe receives your email (to email you a receipt), card details, and purchase info. Read Stripe's privacy policy.
• OpenAI— when you send a message to the AI coach, we send a bounded snippet of your business profile (niche, country, work style) plus the last ~10 messages in the conversation to OpenAI's API so it can produce a relevant reply. OpenAI's API terms say they do not use API inputs to train their models, but responses are retained briefly for abuse monitoring. Read OpenAI's privacy policy. Don't put secrets, health info, or regulated data into coach chats.
• Vercel — hosts the Leapo web application and handles HTTPS, CDN caching, and server function execution. Vercel sees request metadata (IP, URL, status code) but not the content of your account data unless a request body explicitly contains it. We also use Vercel Analytics (aggregate pageview counts) and Speed Insights (Core Web Vitals measurements). Both are cookieless, GDPR-compliant, and collect no personally identifiable information — just bucketed metrics about which pages are visited and how fast they load.
• Sentry (EU-region, Frankfurt) — captures unhandled errors with stack traces, the URL path where they happened, and browser/OS metadata so we can fix bugs. IP addresses are stored by Sentry for up to 30 days and used only for rate-limiting and geolocation aggregation.
• Email provider (via Supabase Auth) — sends sign-up confirmations, password-reset links, and other transactional mail.

We do not sell your data, share it with advertisers, or use it for retargeting.

Our sub-processors may process data in the United States and other countries outside the European Economic Area. Where required, transfers rely on European Commission Standard Contractual Clauses (SCCs) or equivalent safeguards. If you want the specific SCCs applicable to a transfer, email us.

• Account + business profile + progress: for as long as your account exists. If you delete your account, this data is removed within 30 days, except where we must keep it for legal reasons.
• Payment records: retained for 7 years to meet tax and accounting obligations (exact period depends on your country and ours).
• AI coach chat history:stored in your browser's localStorage (so only you can see it) and cleared when you click "Clear chat" or when you sign out. We log usage counters (not full message content) server-side for quota enforcement.
• Security logs: up to 90 days.
• Anonymized / aggregate data(e.g. "X% of users completed phase 3") may be kept indefinitely.

Under GDPR and similar laws, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate or incomplete data (most of it is editable in Settings)
• Erase your data (delete your account)
• Restrict or object to certain processing
• Port your data in a machine-readable format
• Withdraw consent where processing is based on consent
• Complain to your local data protection authority (for EU residents, the authority in your country of residence; e.g. the Belgian DPA, the CNIL in France, the ICO in the UK)

To exercise any of these rights, email [privacy@leapo.app]. We'll respond within 30 days (sometimes up to 60 days for complex requests; we'll tell you if so).

We use a minimal set of cookies and browser storage:

• Session cookie (Supabase)— strictly necessary to keep you signed in. Without it the app can't work.
• localStorage (Leapo) — stores your language preference, onboarding draft data, and AI coach chat history locally on your device only (not sent to our servers for those specific items).

We don't set advertising or cross-site tracking cookies. Vercel Analytics and Speed Insights (see §3) are cookieless and collect only aggregate pageview / performance metrics with no personally identifiable information, so no cookie banner is required under GDPR.

We use HTTPS everywhere, encrypted storage at rest (via Supabase/AWS), hashed passwords, Row-Level Security in the database so users can only read their own rows, and signed webhook verification for payment events. Despite our precautions, no online system is 100% secure. If we become aware of a breach affecting your personal data, we'll notify you and the relevant authorities as required by law.

Leapo is not aimed at children. We don't knowingly collect personal data from anyone under 16 (or the higher age of digital consent in your country). If you believe a child has given us personal data, email us and we'll delete it.

If we change how we handle your data in a meaningful way, we'll notify you in the app and/or by email at least 14 days before the changes take effect. The "Last updated" date at the top always reflects the current version.

Privacy questions, rights requests, or complaints:

• Email: [privacy@leapo.app]
• Postal: [LEGAL ENTITY NAME, REGISTERED ADDRESS]